On Sun, 6 Jun 2021 12:40:04 +0200 Bastian Germann <bastiangerm...@fishpost.de> wrote:
I have prepared a NMU RFS with the fix for buster at #983104.
Enclosed is the NMU debdiff that is approved by the Release Team and will be sponsored.
diff -Nru mupdf-1.14.0+ds1/debian/changelog mupdf-1.14.0+ds1/debian/changelog --- mupdf-1.14.0+ds1/debian/changelog 2020-11-07 10:20:45.000000000 +0100 +++ mupdf-1.14.0+ds1/debian/changelog 2021-02-19 08:55:54.000000000 +0100 @@ -1,3 +1,13 @@ +mupdf (1.14.0+ds1-4+deb10u3) buster; urgency=high + + * Non-maintainer upload. + * Avoid a use-after-free in fz_drop_band_writer (CVE-2020-16600) + (Closes: #989526) + * Fix double free of object during linearization (CVE-2021-3407) + (Closes: #983684) + + -- Bastian Germann <bastiangerm...@fishpost.de> Fri, 19 Feb 2021 08:55:54 +0100 + mupdf (1.14.0+ds1-4+deb10u2) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru mupdf-1.14.0+ds1/debian/patches/0017-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_writer.patch mupdf-1.14.0+ds1/debian/patches/0017-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_writer.patch --- mupdf-1.14.0+ds1/debian/patches/0017-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_writer.patch 1970-01-01 01:00:00.000000000 +0100 +++ mupdf-1.14.0+ds1/debian/patches/0017-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_writer.patch 2021-02-19 00:54:26.000000000 +0100 @@ -0,0 +1,34 @@ +From: theshoals <thesho...@users.noreply.github.com> +Date: Mon, 4 May 2020 03:33:40 -0400 +Origin: http://git.ghostscript.com/?p=mupdf.git;h=96751b25462f83d6e16a9afaf8980b0c3f979c8b +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=702253 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-16600 +Subject: Bug 702253: Avoid a use-after-free in fz_drop_band_writer + +A use-after-free would occur when a valid page was followed by +a page with invalid pixmap dimensions, causing bander -- +a static -- to point to previously freed memory instead of a new +band_writer. +--- + source/tools/mudraw.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/source/tools/mudraw.c b/source/tools/mudraw.c +index d17506d37..36536bd2c 100644 +--- a/source/tools/mudraw.c ++++ b/source/tools/mudraw.c +@@ -920,7 +920,14 @@ static void dodrawpage(fz_context *ctx, fz_page *page, fz_display_list *list, in + fz_always(ctx) + { + if (output_format != OUT_PCLM) ++ { + fz_drop_band_writer(ctx, bander); ++ /* bander must be set to NULL to avoid use-after-frees. A use-after-free ++ * would occur when a valid page was followed by a page with invalid ++ * pixmap dimensions, causing bander -- a static -- to point to previously ++ * freed memory instead of a new band_writer. */ ++ bander = NULL; ++ } + fz_drop_bitmap(ctx, bit); + bit = NULL; + if (num_workers > 0) diff -Nru mupdf-1.14.0+ds1/debian/patches/0018-Bug-703366-Fix-double-free-of-object-during-lineariz.patch mupdf-1.14.0+ds1/debian/patches/0018-Bug-703366-Fix-double-free-of-object-during-lineariz.patch --- mupdf-1.14.0+ds1/debian/patches/0018-Bug-703366-Fix-double-free-of-object-during-lineariz.patch 1970-01-01 01:00:00.000000000 +0100 +++ mupdf-1.14.0+ds1/debian/patches/0018-Bug-703366-Fix-double-free-of-object-during-lineariz.patch 2021-02-19 08:55:54.000000000 +0100 @@ -0,0 +1,48 @@ +From: Robin Watts <robin.wa...@artifex.com> +Date: Fri, 22 Jan 2021 17:05:15 +0000 +Subject: Bug 703366: Fix double free of object during linearization. +origin: http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=703366 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3407 +Bug-Debian: https://bugs.debian.org/983684 + +This appears to happen because we parse an illegal object from +a broken file and assign it to object 0, which is defined to +be free. + +Here, we fix the parsing code so this can't happen. +--- + source/pdf/pdf-parse.c | 6 ++++++ + source/pdf/pdf-xref.c | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c +index 7abc8c3d41aa..5761c3351773 100644 +--- a/source/pdf/pdf-parse.c ++++ b/source/pdf/pdf-parse.c +@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc, + fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num); + } + gen = buf->i; ++ if (gen < 0 || gen >= 65536) ++ { ++ if (try_repair) ++ *try_repair = 1; ++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen); ++ } + + tok = pdf_lex(ctx, file, buf); + if (tok != PDF_TOK_OBJ) +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 1b2bdcd59d70..30197b4b8577 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + { + ofs = fz_tell(ctx, doc->file); + trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL); ++ if (num == 0) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n"); + } + fz_catch(ctx) + { diff -Nru mupdf-1.14.0+ds1/debian/patches/series mupdf-1.14.0+ds1/debian/patches/series --- mupdf-1.14.0+ds1/debian/patches/series 2020-11-07 10:20:45.000000000 +0100 +++ mupdf-1.14.0+ds1/debian/patches/series 2021-02-19 08:55:54.000000000 +0100 @@ -14,3 +14,5 @@ 0014-Bug-701118-Handle-appending-large-display-list-nodes.patch 0015-Bug-701118-Limit-size-of-begin-layer-nodes-in-displa.patch 0016-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch +0017-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_writer.patch +0018-Bug-703366-Fix-double-free-of-object-during-lineariz.patch
